Re: RFC 4121 & acceptor subkey use in MIC token generation

https://www.novabbs.com/devel/article-flat.php?id=395&group=comp.protocols.kerberos#395

From: nic...@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Wed, 25 Oct 2023 15:33:54 -0500
Organization: TNet Consulting
Message-ID: <mailman.19.1698266050.2263420.kerberos@mit.edu>
References: <202310241950.39OJoa0Z000708@hedwig.cmf.nrl.navy.mil>
<3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu> <ZTiT0ub2uv5A/b4E@ubby21>
<202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
<ZTl7si0yfdU634sR@ubby21>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202310251251.39PCpTqc026799@hedwig.cmf.nrl.navy.mil>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>

On Wed, Oct 25, 2023 at 08:51:29AM -0400, Ken Hornstein wrote:
> >While I'm on the subject of JWT, there are two reasons JWT is killing
> >Kerberos:
>
> Are you sure one of the most important reasons ISN'T that the GSSAPI is
> insanely complicated and people who look at it get confused and move to
> something else that is much simpler?

At $WORK that's definitely not the reason. It's the others I listed,
though the one about authz data is a flavor of the API complexity issue
only much worse: because not only is it insanely hard to get at authz
data when you can get at it, it's also often not possible at all. So
not just insanely complex, but often-not-even-possible.

And yet as simple as JWT is, it's also not:

- HTTP user-agents need to know how to fetch the rock that the server
asks them to fetch, and most of them don't know

(Which is basically why OIDC exists.)

This is fixable if anyone cares to bother, but then OIDC exists.

- HTTP user-agents that do know how to fetch the rock don't do rock
caching

Nico
--
